Maladaptive Behaviour in Phishing Susceptibility: How Email Context Influences the Impact of Persuasion Techniques

Abstract

With over 80-90% of cyber incidents occurring in businesses and home settings often due to human errors in decision making (CybSafe, 2020; World Economic Forum, 2022; Verizon, 2022), a human-centric approach to cyber-security is needed to understand mechanisms behind maladaptive behaviours. One key area is susceptibility to phishing emails. Whilst some have investigated the success of different persuasion techniques in phishing susceptibility – most notably use of authority, urgency, and scarcity – less is known about how the wider context of the email (e.g., financial vs a work-related event) could influence the success of such techniques. The current paper presents initial findings from a repeated measures experiment where 271 participants included in the final analysis, recruited via Prolific (2022), judged whether they would or would not respond to presented email content containing a range of contexts and persuasion techniques. Diverging from previous research, participants were not necessarily more likely on average to respond to emails containing a persuasion technique, with large differences in persuasion success greatly depending upon the email context – with the proportion of response likelihood varying from 13.3% to 87.5% of participants choosing to respond. From this, not only do we demonstrate the successful impact of the main persuasion techniques and email context combinations upon phishing, but how overreliance on available information can bias individuals to engage in maladaptive cyber security behaviours.